It is unfortunate that things like this do happen. Here are some tips to help prevent this from happening:

Correct Registration - Keep your domain name's contact information current. A domain name is like a car - the name on the title determines who registered it, not the person who paid for it. In the domain name world, the Whois database contact information is the title. Make sure:

You enter correct and valid information in the registrant, administrative, technical, and billing contact fields.

The listed registrant is the exact person or entity you want to have legal rights over the domain name.

You have a valid business license for the listed company and a government-issued photo ID for the person listed as the registrant. That way, if you do lose access to your account or domain name, you can validate registration of the domain name in the future.

Administrative Email Address - The administrative contact email address has the authority to approve a transfer of the domain name to another registrar. Do not allow the email address to become outdated or expire because this allows someone else to sign up for the email address, providing easy access to the account and domain name.

Login Regularly - Be vigilant: Regularly log in to your customer account and make sure your account and domain name contacts are correct. If your domain name is with us, you might consider Domain Monitoring. This service alerts you via email when your domain name's settings change.

Lock Your Domain Name - To prevent unauthorized transfers to another registrar, lock your domain name from within your account. To help prevent your domain name from being moved out of your account, consider Protected Registration. Your domain name can be upgraded to add this enhancement. If your domain is with another registrar, you may only have the ability to lock your domain.

Be a Human Firewall - DO NOT give your customer account login, password, credit card, or shopper PIN information to anyone, including your webmaster. Webmasters NEVER need direct access to your domain name. They need access to your hosting account login and password. Use the Account Administrator feature of your account to grant access levels to others who need to manage domain names in your account.

If you find something that isn't correct or receive a notification of a change that you didn't do please email Undo@GoDaddy.com as soon as possible. If you have a domain that has been removed, please contact TransferDisputes@GoDaddy.com. The faster you are able to send the email, the higher chance we have at recovering the change/transfer. Replies usually come by the following business day. If you have any questions, please let me know or you can also contact our 24/7 support.

The Following User Says Thank You to SpywareDr For This Useful Post:

Bluehost has an excellent reputation. Register.com as well. I've used TRK for clients as well as some local hosts. Some people who database sensitive info feel they should use off-shore hosts but i'm not sure that makes much difference. A client used a Philippine host that associated her domain with some porn sites to gain secondary add revenue.

It's nice that Bluehost includes domain registration for excellent rates. If your needs are simple and your site modest, that can be fine. But if you anticipate a strong commercial site and evolving needs, it can be useful to manage your domains separately from your web site host. That way, you can seamlessly migrate at any time. But again, you want an established organization. If you do register your domains though your web host, you might want to check who their domain registrar is. Some like register.com and tucows are well established. Some less so.

I'll also note that some country domains (2 letter) have become more popular lately. The better ones are managed properly (like .it and .ca) but some like .tv and .ta are wide open and managed by small overseas companies. I'd be a little careful about betting your business on one of those. A secondary domain maybe...

Thanks, James. Great set of tips.
Domain locking should be quite sufficient if the system is set up properly and people follow some of the other points you mention. For example, most registrars lock domains by default now.

It's not uncommon for people to send the setup email to their web designers. It often includes all passwords when domain service is included.

However, personally I've had several bad experiences with GoDaddy, mainly extracting clients with troubles there. I can appreciate a larger business with more customers will tend to have more troubles but GoDaddy was not cooperative and at the time, the transform process was well buried as was the procedure. I knew what needed to be done but not how to find the settings. Most hosts use CPanel or similar, a well designed web management platform. GoDaddys is less than intuitive, to put it mildly.

I also prefer complete services at a good price, such as BlueHost or TRK. That way, simple changes can be easily effected. GoDaddy however tends to nickel and dime you. The mentioned Protected Registration would be an example.

But as they say - your mileage may vary. I've met a few who like GoDaddy and I've been very happy with Toyota. ;-)

This has just happened to me - Google offered a cheap domain registration for some apps thing that I never got much use of - it appears they registered the domain via - you guessed - GoDaddy. In May I was warned to tick "auto renew" in the impenetrable Google admin page - I did so. Last week I discovered the site displaying a Nike holding page. I could not gain access to Godaddy account. Yesterday I sent photo ID and all the data asked for to reassign Godaddy password. This morning Godaddy tell me I am not the registered owner of the domain and the matter is closed. "Who is" shows a chinese owner who acquired the name on 5th July - just about the time I began to move to move the name to a new host (oddly enough). So Godaddy is implicated and as far as I can see the Mighty Google is implicated. I expect an offer to purchase my domain name back ay day now - not a lot of use to anyone else at is is based on my name. Had a new set of business cards printed three months ago featuring the domain name and now have a magnetic strip on my car advertising -in effect - Nike. Thanks Godaddy - thanks Google.

The fact that GoDaddy notified you of the domain being unlocked (and thus able to be transferred) and you did nothing will probably be their out. They notified you.

How the culprits managed to get it unlocked is the curious part. I would suspect impersonation and using some sort of lost password thing. But obviously a total lack of care on GoDaddys part. Lifting a domain thats not locked is much easier.

GoDaddy uses a non-standard interface and process. I transferred a friends domain off GoDaddy and it took a bit of digging to find how. The help files did not tell you how to leave. I refuse to use GoDaddy. For reasons others mention but also because they encourage a lot of the hostage domain activity and spam sites that crosslink each other but have no value except Google Ad revenue. I can think of a long list of issues actually. Crap on the web is commonly hosted by them.

Don't know what to suggest on the stolen domain other than contacting ICANN. A Youtube video exposing GoDaddy would not be a bad idea also. I had no idea this was going on with locked domains. But I would definitely move my domains to a more reputable registrar. Who wants to support organizations that abuse their customers and their market space?